Cannot find how to set up User Groups

Hi,
I am evaluating Pritunl and have signed up for Pritunl Premium.
The User Groups feature would appear to provide the ACL capability I would like to have, but I cannot find how to implement it.
Questions?

  1. Is it available on the Premium version?
  2. Assuming it is available, where can I find detail on how to set it up?
  3. If it is not available on Premium, is there another practical way to limit clients' access to some resources?

Thank you for any assistance.
Regards

An enterprise subscription is required for the groups option. Organizations should be used as groups. If there are overlapping access control requirements the groups option can be used instead.

To use user groups, all single sign-on users must be in one organization. The organization then needs to be attached to all servers. Then the groups option in each server can be configured to select which user groups will have access to that server.

To apply user groups the following commands will switch the single sign-on from matching organizations to copying the groups from the single sign-on provider to the Pritunl user. For SAML providers the groups SAML attribute can be used to set the user groups.

sudo pritunl set app.sso_azure_mode '"groups"'
sudo pritunl set app.sso_authzero_mode '"groups"'
sudo pritunl set app.sso_google_mode '"groups"'

It is also possible to manually set user groups in the user settings but this would be overwritten if the user is using single sign-on.

4 Likes

Hi Zach,
Thank you for your extremely prompt response (as always!).
The combination of US$ and the price per month makes the Enterprise option a “bridge too far” for our small organisation. With the rapidly changing rate between AU$ and US$, too hard to even budget! :anguished:

Nice product BTW.
Regards

Hi Zach,
For clarity, in the Premium version, can I assume that there is no way to restrict what users can access?
Just in case I am missing something obvious.
Regards

Organizations are intended to function as groups. Users will only have access to the servers that the user's organization is attached to. Multiple servers can be created to handle different sets of routes. The user groups are only intended for configurations that can’t be handled by multiple organizations.

Does this mean it doesn’t matter what Azure AD group the user is a member of? As long as they are a user in the Azure AD organization that is connected to the server?

The Azure groups would be matched to an existing Pritunl organization by default. If the groups mode is used, then the Azure groups would be copied to the Pritunl user groups. Assuming the server has groups configured, then both the organization and at least one group must match. If the server has no groups configured, user groups are ignored and only the organization must match.
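
Added example, not part of the thread and not Pritunl's code: a small Python model of the matching rules described in the replies above, useful for checking which users a planned organization/group layout would admit to each server. All class, function, user, group and server names are hypothetical, and the "first matching group wins" rule in default mode is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Server:
    name: str
    organizations: set                          # organizations attached to the server
    groups: set = field(default_factory=set)    # empty set = no groups configured

@dataclass
class User:
    name: str
    organization: str
    groups: set = field(default_factory=set)

def provision_from_sso(name, idp_groups, mode, pritunl_orgs, sso_org=None):
    """Build the Pritunl-side user from constructed IdP data under either SSO mode."""
    if mode == "groups":
        # Groups mode: every SSO user sits in one organization and the
        # provider's groups are copied onto the user.
        return User(name, sso_org, set(idp_groups))
    # Default mode: a provider group is matched to an existing organization.
    # Assumption: the first matching group wins; no match means no user.
    for group in idp_groups:
        if group in pritunl_orgs:
            return User(name, group)
    return None

def can_connect(user, server):
    """Organization must match; groups only matter if the server has any."""
    if user is None or user.organization not in server.organizations:
        return False
    if not server.groups:
        return True          # no groups configured: user groups are ignored
    return bool(user.groups & server.groups)

def access_matrix(users, servers):
    return {(u.name, s.name): can_connect(u, s) for u in users for s in servers}

if __name__ == "__main__":
    # Constructed sample data, not taken from a real deployment.
    servers = [Server("office", {"sso"}), Server("prod", {"sso"}, {"ops"})]
    users = [
        provision_from_sso("alice", ["ops", "dev"], "groups", {"sso"}, "sso"),
        provision_from_sso("bob", ["dev"], "groups", {"sso"}, "sso"),
    ]
    for key, allowed in access_matrix(users, servers).items():
        print(key, "allow" if allowed else "deny")
```

In this model a server with no groups configured admits everyone in an attached organization, so a server meant to be restricted needs at least one group set on it.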